[Dshield] OpenDNS

Jason D. Montgomery jason at atgi.com
Thu Feb 14 19:17:15 GMT 2008


Indeed, this is for protecting end users, not servers (people shouldn't be browsing the web from servers).....
 
Networks are segmented, users would want OpenDNS, for other parts of the network I'm not sure it would provide any real protection.....I'm not even sure if they do anything with MX records.
later,
jason
----------------------------------
j. montgomery <jason at atgi.com>
Sr. Software Specialist/Security Specialist
CISSP, GSEC, GNET, MCAD, MCSA
ATGi
E8548FA88CABD7C170F36AA7AB23E536

________________________________

From: list-bounces at lists.dshield.org on behalf of Håkon Alstadheim
Sent: Thu 2/14/2008 1:02 PM
To: General DShield Discussion List
Subject: Re: [Dshield] OpenDNS



Jason D. Montgomery wrote:
> 
> I've been using OpenDNS at home for a while now - it's much more than just a DNS service.
> 
> I highly recommend it for the following reasons:
> 
>  
[snip various ways of doctoring dns-query results]

You definitely do NOT want this if you run any kind of mail filtering.
Looking up and verifying the validity of DNS domain names is vital to
that functionality. This kind of functionality for web-users belongs at
the user's desktop if it belongs anywhere, with the possible exception of
blocking unsavory sites, which belongs in your perimeter firewall
(blocking IP-addresses without crippling your DNS-service).

